20 Questions Security Pros Should Ask Themselves Before Moving To The CloudA template for working collaboratively with the business in today's rapidly changing technology environment.
Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.
Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.
As security professionals, we are way beyond the point of simply being able to tell the business they cannot move certain things to the cloud. Instead, we need to work collaboratively with the business to mitigate the risks introduced by the changing business environment. Given that we find ourselves in this situation, we need a different approach. What are 20 questions security organizations should be asking themselves as the business moves to the cloud?
By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons.
- Do we know how much it costs to build, maintain, and operate data centers? That is the first step to understanding the pressure the business is under.
- Have we opened up the lines of communication and listened acutely to the business? Before we can expect the business to listen to us, we need to build bridges, gain trust, and listen to the business.
- Do we truly understand the needs of the business? It’s hard to convince the business that we have their best interests in mind when we don’t fully understand what that means.
- Do we knee jerk? We must be honest with ourselves to determine if we are truly behaving proactively, or if we are merely behaving reactively.
- Do we always say no? We must be careful not to be the program of no to a business that will increasingly roll its eyes and work around us.
- Are we focused on mitigating risk rather than simply playing whack-a-mole? We need to think holistically and strategically about mitigating risk. We don’t want to win the battle but lose the war.
- What infrastructure has been or will be moved to the cloud? It helps to know what infrastructure we are looking to protect when we set out to protect it.
- What applications have been or will be moved to the cloud? It also helps to know what applications we are looking to protect when we set out to protect them.
- Are we able to enumerate the top five or 10 risks introduced by the move to the cloud that concern us? That’s generally a good place to begin when looking to mitigate risk.
- Are we certain that the move to the cloud always introduces additional net risk? While it is true that certain risks may be introduced, it is also quite likely that some legacy risks may actually go away.
- Are we positive that we can secure something better than someone whose core business depends on it? Granted, not all cloud providers are equal, particularly when it comes to security. But if the provider takes security seriously, they can bring resources and economies of scale to securing our applications and data that we will never be able to bring.
- Is all really lost when applications move to the cloud? It is entirely possible that a new infrastructure will give us visibility into applications like we’ve never had before. But we have to involve ourselves as a friend of the business from the beginning.
- Are we focused on data? In the cloud, it’s more about protecting data, and less about protecting infrastructure and assets.
- Have we considered the economics of the cloud for our own internal security purposes? Not all security products and services need to be racked and stacked in-house anymore. In fact, some of the most interesting ones are cloud-based.
- Have we looked into simplifying our own security stack in the cloud? As technologies mature, it may make sense to take a strategic look at consolidating and simplifying security infrastructure as well.
- Have we looked into the efficiency gains and operational scale the cloud can bring us? Trying to run a query across several months’ worth of data on a 2U vendor appliance can be painful. But with the scale that the cloud provides, that same query can return lightning fast.
- Do we have have the necessary visibility into infrastructure and applications in the cloud? If not, how do we plan to gain that visibility?
- Have we considered how we will retain response capability with the move to the cloud?
- Have we thought about looking to the endpoint as a potential source of visibility and control as the traditional enterprise infrastructure slowly disintegrates before our very eyes?
- Are we focused on the big picture? The cloud is relatively new and can seem a bit scary, but have we thought about the fact that if we do our homework properly, we may even end up with a better security posture than we had before the move to the cloud?
Nearly all security professionals today are grappling with the business moving to the cloud in one form or another. While a few years ago, the mere thought of this happening would have seemed nearly impossible, it is now the reality we live in. As security professionals, we owe it to ourselves to ensure we ask the right questions and make the right preparations as the landscape changes before us. Otherwise, we simply have our heads in the clouds.
Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as ... View Full Bio